commit 468e9831d5c7b99a2dc20b66d881f43ecb0a424b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 22 17:41:12 2025 +0200
firewall.cgi: Add dropdown to add WireGuard peers to a firewall rule
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 37174e29de670a33f9be4b90c88b0a96c695dad1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Sep 27 17:55:46 2024 +0200
wireguard.cgi: Normalize filenames
This is because Windows clients won't import any configurations that
have spaces in the filename. Therefore we replace it and remove anything
else unwanted on the way.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 06dbc836a47160d51ab10f8b9d4ca356beaa7cdb
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 16 18:06:47 2024 +0200
wireguard.cgi: Add a basic CGI to configure the global settings
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 8fa1831bff7e1d76eb83b145976211aa703062e1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Mar 31 16:31:43 2025 +0200
firewall: Collect all networks that should not be NATed in an array
No functional changes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
firewall: Explicitly don't NAT any aliases
It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
readhash is added in functions, but it appears not to be used
in initscripts except for testing; assume no impact on
bpfire initscripts.
commit 1c1ff05cdc37fe9ccabda9413c270935c3a45478
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Mon Mar 31 16:35:26 2025 +0200
firewall: Explicitly don't NAT any aliases
It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ff4ff2cfe0c8565a431bf499708dcb6e5c2fb3dc
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Dec 6 16:42:17 2024 +0000
initscripts: readhash: Fix handling = signs
The function expected that a line only contains exactly one equals sign
(=) which is not fit for purpose. In the WireGuard code we hold key
material that is encoded in base64 and therefore contains padding that
uses =.
This patch fixes this so that we expect exactly one equals sign immediately
after the key and then accept more = in the value, which was
already permitted.
Furthermore, this patch fixes the splitting of the key and value at the
first =.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 73661e5ee1acc30e40e41493c8dfca10aa1097d0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Dec 6 16:42:16 2024 +0000
initscripts: readhash: Only strip quotes if they exist
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 80c1cb5a0a
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:44 2024 +0200
initscripts fkt: Fix shebang
We use features only available in bash. So we should state correctly
that the script should be executed in bash. As sh is a symlink to bash,
this makes no difference on an ipfire system. But my linter is less
chatty with this change.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 14ecdd86f1
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:43 2024 +0200
initscripts fkt: keep readhash compatible with older implementation
With the use of eval, BLUE_DEV='blue0 net0' stored "blue0 net0" in the
variable BLUE_DEV, not "'blue0 net0'".
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit f1d94e7457
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:42 2024 +0200
initscripts fkt: readhash should only parse lines with a =
A line without a = is clearly invalid.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 9f72b7bc5f
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:41 2024 +0200
initscripts fkt: Check for invalid values in readhash
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 02254f5543
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:40 2024 +0200
initscripts fkt: ignore invalid keys in readhash
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit d289bc28be
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:39 2024 +0200
initscripts fkt: Ignore comments in readhash
As '#Another Comment' is a valid key we test this change by checking if
the comments do not end up as keys in our array.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 59e3c2a217
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:38 2024 +0200
initscript fkt: ignore blank lines in readhash
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 96bb3ba8b8
Author: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sun Jun 16 18:02:37 2024 +0200
initscript functions: add readhash
To avoid the usage of eval and to store the config in a key-value
array, we introduce a new function. The tests only check if we
read the correct value into the correct variable.
One comment on the implementation, as this has created some headache:
From https://www.gnu.org/software/bash/manual/bash.html#Bourne-Shell-Builtins
"When used in a function, declare makes each name local, as with the local command, unless the -g option is used."
So we need to use -g here.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
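The readhash commits above (adding the function, skipping blank lines and comments, ignoring invalid keys, stripping quotes only when present, and splitting key and value at the first = so that base64 padding in WireGuard key material survives) together describe a small parser. The following is an added example that illustrates those rules in one place; it is not the IPFire/BPFire readhash implementation. The signature `readhash ARRAY FILE`, the identifier rule used to reject keys, and the sample configuration are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not the IPFire/BPFire readhash: parse KEY=VALUE lines into a
# bash associative array without eval. Re-exec in bash if started under sh,
# because associative arrays and declare -g are bash features.
[ -n "${BASH_VERSION}" ] || exec bash "$0" "$@"

# readhash ARRAY FILE  (signature assumed for this example)
readhash() {
	local array="${1}"
	local file="${2}"

	# declare is local inside a function unless -g is given, so -g is
	# required for the caller to see the array afterwards.
	declare -g -A "${array}"
	local -n _rh_ref="${array}"

	local line key val
	while IFS= read -r line || [ -n "${line}" ]; do
		case "${line}" in
			# Blank lines and comments are ignored
			""|\#*) continue ;;
			# Only lines containing a '=' are valid
			*=*) ;;
			*) continue ;;
		esac

		# Split at the first '=': exactly one '=' follows the key; any
		# further '=' (e.g. base64 padding) belongs to the value.
		key="${line%%=*}"
		val="${line#*=}"

		# Ignore keys that are not valid shell identifiers (assumed rule)
		case "${key}" in
			[A-Za-z_]*) ;;
			*) continue ;;
		esac
		case "${key}" in
			*[!A-Za-z0-9_]*) continue ;;
		esac

		# Strip surrounding quotes only if they exist, so that
		# BLUE_DEV='blue0 net0' yields "blue0 net0" as the eval version did
		case "${val}" in
			\"*\") val="${val#\"}"; val="${val%\"}" ;;
			\'*\') val="${val#\'}"; val="${val%\'}" ;;
		esac

		_rh_ref["${key}"]="${val}"
	done < "${file}"
}

# Write a constructed sample settings file and print its path.
readhash_demo_file() {
	local file
	file="$(mktemp)"
	cat > "${file}" <<'EOF'
# Comment lines are ignored, even when they look like assignments
#COMMENTED_OUT=1

BLUE_DEV='blue0 net0'
WG_KEY="dGhpcyBpcyBub3QgYSByZWFsIGtleQ=="
PEER_KEY=Zm9vYmFyCg==
no equals sign on this line
bad-key=rejected
EOF
	echo "${file}"
}

# Stand-alone demo: parse the sample and print what was accepted
demo="$(readhash_demo_file)"
readhash DEMO_CFG "${demo}"
rm -f "${demo}"
for k in "${!DEMO_CFG[@]}"; do
	printf '%s -> %s\n' "${k}" "${DEMO_CFG[${k}]}"
done
```

Note that the value-validation added in the "Check for invalid values" commit is not reproduced here, since the log does not say which values it rejects; the key check above is the example's own rule.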
commit db09ea9e5c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:35:39 2024 +0100
initscripts: Don't overwrite the PID file
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5900a95059
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:31:49 2024 +0100
initscripts: Fix reading PIDs
An incorrect variable has been used.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 6e47a143c9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:30:33 2024 +0100
initscripts: Handle command arguments as array
For some reason, the function is refusing to launch a command that has
extra arguments.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ed91103e22
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date: Wed Mar 27 20:39:17 2024 +0100
initscripts: Add generic function to get the filesystem type of a volume
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit c3019331df
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Jan 11 15:59:34 2024 +0100
initscripts: Implement storing PIDs in loadproc
Some programs do not write their own PID files any more, but since our
initscripts heavily rely on those, this extension allows storing it
easily.
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
commit dd8ef8cc10
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Jan 11 15:57:50 2024 +0100
initscripts: Fix wrong variable check for $PIDFILE in getpids
getpids() checked whether it needed to pass a pid file to pidofproc, but
the check was inverted.
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit fc32e7b9147d2eeeb6e2bc1497859fb050001eb5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 16 16:20:55 2024 +0200
firewall: Automatically open ports for WireGuard
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 459bb750298c09990c0c8d4677f0f442887304d0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Apr 26 14:30:44 2025 +0200
wireguard: Automatically apply MASQUERADE for peers with local address
In this case we are the client and we cannot leak any local subnets.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit 43867c1e070fc96420a666b0bb21182eff16787b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun Apr 27 18:30:59 2025 +0200
wireguard: Add a custom routing table for peers
This is a dirty hack to make connections to VPN providers actually work.
We mark all WG packets after encryption and use a secondary routing
table to look up any routes to the peers. That way, we can replace the
default route in the main routing table without having to care about the
special routes there.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
The following commit made changes to networking functions:
commit 76ea485d9edb781328e307c68b1f878d933408e5
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Sep 27 17:39:22 2024 +0200
wireguard: Select the correct source IP address for N2N peers
This is so that the firewall chooses the correct IP address when trying
to establish connections to the remote networks.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit d99826dc71
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Sep 24 10:33:22 2024 +0200
suricata: Enable scanning IPsec packets
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit db151ad716
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun Sep 22 17:08:03 2024 +0200
suricata: Add support for zones having multiple interfaces
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 1b7d1abdf0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Sep 10 10:50:15 2024 +0200
suricata: Add option to scan WireGuard
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 79cce701a9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Sep 10 10:40:28 2024 +0200
suricata: Restore the interface selection
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 3f863ee70d
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat Mar 23 14:32:30 2024 +0100
initscripts: Add some basic functions for IP address maths
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit e340d393d3
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Fri Mar 22 17:40:15 2024 +0100
network: Don't include initscript headers twice
Everywhere we import the functions, we have already imported the
standard includes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
upgrade to 1.9.10 and enable ebpf AF_XDP
We use xdp-loader to load dnsdist_xdp.bpf.o for dnsdist running
AF_XDP:
xdp-loader load green0 -P 90 -p /sys/fs/bpf/dnsdist -n xdp_dns_filter /usr/lib/bpf/dnsdist_xdp.bpf.o
so the xsk v4/v6 destination map would be:
/sys/fs/bpf/dnsdist/xskDestinationsV4
/sys/fs/bpf/dnsdist/xskDestinationsV6
but dnsdist-xsk.cc has:
static std::string getDestinationMap(bool isV6)
{
return !isV6 ? "/sys/fs/bpf/dnsdist/xsk-destinations-v4" : "/sys/fs/bpf/dnsdist/xsk-destinations-v6";
}
We can't use xsk-destinations-v4/v6 in dnsdist_xdp.bpf.o because a bpf map
definition cannot use '-' in the map name; '-' would result in a compile
error.
So we patch dnsdist-xsk.cc to use xskDestinationsV4/V6, which matches the
map names in dnsdist_xdp.bpf.o.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
preparation for pwru:
mount -t debugfs none /sys/kernel/debug
echo 0 > /proc/sys/kernel/kptr_restrict
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
pwru requires golang > 1.24.1
Delete the existing build/usr/lib/go directory before upgrading go:
rm -rf build/usr/lib/go
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
commit f89feeb19 "kernel: use BPFire logo in kernel" replaced the
ipfire logo with the bpfire logo, but forgot to add the bpfire logo
file and remove the ipfire logo file.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
test out the new loxilb with fix for kernel 6.12 issue
git clone --recurse-submodules https://github.com/loxilb-io/loxilb.git
mv loxilb loxilb-0.9.9
tar czvf loxilb-0.9.9.tar.gz loxilb-0.9.9
mv loxilb-0.9.9.tar.gz <BPFire source>/cache
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
loxilb 0.9.8 requires the --egress flag for the firewall
rule to masquerade/SNAT the GREEN network source IP
for Internet access. To access a host in the RED network,
another firewall rule is required. See [0].
[0]: https://github.com/loxilb-io/loxilb/issues/957
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
Now x86 and loongarch64 share the same user-space
xdp_sni and xdp_dns programs with a path argument to the
bpf map; change the xdpsni and xdpdns init scripts
to pass the bpf path argument.
Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>